SlideShare a Scribd company logo

Introduction to OAuth

Paul Osman, profile picture
Paul Osman

OAuth is an open standard for token-based authorization that allows third-party applications to obtain limited access to a user's data without requiring them to share their passwords. It allows sites to exchange user-authorized tokens that can be revoked and have varying scopes and time limits. OAuth has gone through several versions to address vulnerabilities and inconsistencies, with OAuth 2.0 simplifying the protocol through the use of bearer tokens and authorization/resource server separation. While implementations are emerging, OAuth 2.0 continues to be refined as an IETF draft standard.

Technology
1 of 49
Downloaded 184 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
OAuth: Open Standard for Sharing #OpenWebTO - June 1st, 2010
the problem
Introduction to OAuth
Introduction to OAuth
password anti-pattern
Introduction to OAuth
Sharing without passwords. Sites exchange user authorized tokens. Tokens can be revoked. Tokens can be scoped. Tokens can be time-limited.
Introduction to OAuth
Terminology has changed a lot. These slides are old school.
Introduction to OAuth
some history 12/07 - OAuth 1.0 06/08 - OAuth 1.0a 11/09 - OAuth WRAP 03/10 - OAuth 2.0 Draft 1 04/10 - RFC 5849 05/10 - OpenID Connect
OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.
Step 1. Attacker initiates OAuth authorization
Step 2. Tricks victim into visiting authorization URI specially crafted for nefarious purposes (attacker specifies the callback).
Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
Step 4. Attacker completes the OAuth workflow. Has access to the victim's protected resources.
Step 5. $$$
The Result Inconsistent implementations. Different fixes for older providers. Be aware.
OAuth 1.0a Protocol Overview
Introduction to OAuth
Endpoint URIs Request Token URL User Authorization URL Access Token URL
Request a Request Token
Example: Twitter Request: POST /oauth/request HTTP/1.1 Host: local.eval.ca:8000 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 ... Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485", oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D" Response: oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0& oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
Example: FreshBooks Request: Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018", oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT", oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26", oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F" Response: oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2& oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh& oauth_callback_confirmed=true
Redirect user to Authorization URI Twitter: http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8 FreshBooks: https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
Handle Callback Twitter: http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8 FreshBooks: http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8 &oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs
Exchange authorized Request Token for Access Token
Example: Twitter Request: Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497", oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0", oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D" Response: oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo& oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI& user_id=149686823&screen_name=freshnotifydemo
Example: FreshBooks Request: Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024", oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0", oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh" Response: oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
Accessing a Protected Resource
Example: Twitter Request: POST /1/statuses/update.json HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995", oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo", oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D" status=Ohai. Response: { a lot of JSON }
Example: FreshBooks Request: POST /api/2.1/xml-in HTTP/1.1 ... Content-Type: application/xml Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024", oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0", oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh" <request method="invoice.list" /> Response: <response status="ok"> A bunch of XML </response>
Common Questions What about Desktop & Mobile applications? What the heck is OAuth WRAP? What does OAuth have to do with OpenID? What is up with OAuth 2?
OAuth 2.0
Problems with OAuth 1.0 Complex cryptographic requirements Poor user experience for desktop / mobile Performance at scale
OAuth 2.0 OAuth 2.0 defines authorization flows. User Delegation Flows Direct Credentials Flows Autonomous Flows
User Delegation Flows User-Agent Flow Web Server Flow Device Flow
Direct credentials Flows Username and Password Flow Client Credentials Flow
Autonomous flows: Assertion Flow
OAuth 2.0 Bearer tokens over SSL Simpler signatures Short lived tokens with refresh tokens Authorization server and resource server
Progress
OAuth 2.0 is currently in its 5th version of an IETF Draft.
There are implementations in the wild including Facebook, 37 Signals and Github.
There are Objective C, Python and Ruby libraries available with varying degrees of completeness.
So things are looking good, but as always when working with something this new...
Introduction to OAuth
Resources http://oauth.net/ http://tools.ietf.org/html/rfc5849 http://hueniverse.com/oauth/ http://tools.ietf.org/html/draft-ietf-oauth-v2-07
Introduction to OAuth
thank you! Paul Osman paul@eval.ca

More Related Content

PPTX
OAuth1.0
G Jayendra Kartheek
 
PDF
Authorization with oAuth
Vivastream
 
PDF
Building a Microgateway in Ballerina_KubeCon 2108
Ballerina
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PDF
OAuth 2.0
Uwe Friedrichsen
 
PDF
Building an API Security Ecosystem
Prabath Siriwardena
 
PPTX
An introduction to OAuth 2
Sanjoy Kumar Roy
 
PPTX
REST Service Authetication with TLS & JWTs
Jon Todd
 
OAuth1.0
G Jayendra Kartheek
 
Authorization with oAuth
Vivastream
 
Building a Microgateway in Ballerina_KubeCon 2108
Ballerina
 
Demystifying OAuth 2.0
Karl McGuinness
 
OAuth 2.0
Uwe Friedrichsen
 
Building an API Security Ecosystem
Prabath Siriwardena
 
An introduction to OAuth 2
Sanjoy Kumar Roy
 
REST Service Authetication with TLS & JWTs
Jon Todd
 

What's hot (19)

PDF
OAuth2
SPARK MEDIA
 
PDF
OAuth 2.0 and Library
Kenji Otsuka
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PDF
What the Heck is OAuth and Open ID Connect? - UberConf 2017
Matt Raible
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
PPTX
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
PPTX
Single-Page-Application & REST security
Igor Bossenko
 
PDF
Implementing OAuth
leahculver
 
PDF
2016 pycontw web api authentication
Micron Technology
 
PPTX
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar
 
PDF
Pushed Authorization Requests
Torsten Lodderstedt
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PDF
Rich Authorization Requests
Torsten Lodderstedt
 
PDF
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
PDF
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv
 
PPTX
Pentest Expectations
Ihor Uzhvenko
 
PPTX
JWT Authentication with AngularJS
robertjd
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
OAuth2
SPARK MEDIA
 
OAuth 2.0 and Library
Kenji Otsuka
 
An Introduction to OAuth2
Aaron Parecki
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
Matt Raible
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Single-Page-Application & REST security
Igor Bossenko
 
Implementing OAuth
leahculver
 
2016 pycontw web api authentication
Micron Technology
 
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar
 
Pushed Authorization Requests
Torsten Lodderstedt
 
OAuth2 - Introduction
Knoldus Inc.
 
Rich Authorization Requests
Torsten Lodderstedt
 
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv
 
Pentest Expectations
Ihor Uzhvenko
 
JWT Authentication with AngularJS
robertjd
 
OAuth2 + API Security
Amila Paranawithana
 
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Ad

Viewers also liked (20)

PPT
Cultural diff
JessWalker1
 
PPS
30種快樂的方式
t828vp
 
PPTX
Isoiec Guide 65 Ias Ac 370 General Overview
rcoiner
 
PDF
Infrastrutture prioritarie __calabria[1]
mattone84
 
PPTX
Robinson bosc2010 bio_hdf
BOSC 2010
 
PPTX
Chapter 7 Presentation
Veronica Deja DeRosa
 
PDF
Hemmerich bosc2010 isga_ergatis
BOSC 2010
 
PPTX
Teaser Fontein visie huisgroepen 2010/2011
Windesheim University of Applied Sciences
 
PPT
Cocre art meeting ceuta
CVO-SSH
 
PDF
Bonnal bosc2010 bio_ruby
BOSC 2010
 
PPTX
안드로이드스터디 6
jangpd007
 
DOC
Marcellus Shale
mkenergygroup
 
PPTX
Yahoo mobile & broadcast surround
Devan McCoy
 
PPTX
Utube
Thomas Klose
 
PPTX
NRTEE: Pierre Lundahl
Izabela Popova
 
PPTX
Closing Panel: Jane Comeault
Izabela Popova
 
PPTX
4 scenarios voor de toekomst van bibliotheken
Erna Winters
 
PPTX
NRTEE: Kirsten Vice
Izabela Popova
 
PDF
Louise Cohen | PROJECTS
polyvalent designer at www.louisecohen.nl
 
PDF
Identityworks
jacksm
 
Cultural diff
JessWalker1
 
30種快樂的方式
t828vp
 
Isoiec Guide 65 Ias Ac 370 General Overview
rcoiner
 
Infrastrutture prioritarie __calabria[1]
mattone84
 
Robinson bosc2010 bio_hdf
BOSC 2010
 
Chapter 7 Presentation
Veronica Deja DeRosa
 
Hemmerich bosc2010 isga_ergatis
BOSC 2010
 
Teaser Fontein visie huisgroepen 2010/2011
Windesheim University of Applied Sciences
 
Cocre art meeting ceuta
CVO-SSH
 
Bonnal bosc2010 bio_ruby
BOSC 2010
 
안드로이드스터디 6
jangpd007
 
Marcellus Shale
mkenergygroup
 
Yahoo mobile & broadcast surround
Devan McCoy
 
Utube
Thomas Klose
 
NRTEE: Pierre Lundahl
Izabela Popova
 
Closing Panel: Jane Comeault
Izabela Popova
 
4 scenarios voor de toekomst van bibliotheken
Erna Winters
 
NRTEE: Kirsten Vice
Izabela Popova
 
Louise Cohen | PROJECTS
polyvalent designer at www.louisecohen.nl
 
Identityworks
jacksm
 
Ad

Similar to Introduction to OAuth (20)

PPTX
OAuth 2 at Webvisions
Aaron Parecki
 
PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
PDF
[LDAPCon 2015] The OpenID Connect Protocol
Clément OUDOT
 
PDF
The Current State of OAuth 2
Aaron Parecki
 
PPTX
Demystifying REST
Kirsten Hunter
 
PDF
OAuth2 Authentication
Ismael Costa
 
PDF
O auth how_to
vivaqa
 
PPT
UserCentric Identity based Service Invocation
guestd5dde6
 
PDF
OAuth簡介
firestoke
 
PDF
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion
 
PPTX
An Introduction to OAuth 2
Aaron Parecki
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
PDF
Nk API - examples
nasza-klasa
 
PDF
Secure Webservices
Matthias Käppler
 
PDF
Some OAuth love
Nicolas Blanco
 
PDF
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
PDF
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
 
PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
PDF
WSO2Con USA 2015: Securing your APIs: Patterns and More
WSO2
 
PDF
[OSSParis 2015] The OpenID Connect Protocol
Clément OUDOT
 
OAuth 2 at Webvisions
Aaron Parecki
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
[LDAPCon 2015] The OpenID Connect Protocol
Clément OUDOT
 
The Current State of OAuth 2
Aaron Parecki
 
Demystifying REST
Kirsten Hunter
 
OAuth2 Authentication
Ismael Costa
 
O auth how_to
vivaqa
 
UserCentric Identity based Service Invocation
guestd5dde6
 
OAuth簡介
firestoke
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion
 
An Introduction to OAuth 2
Aaron Parecki
 
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
Nk API - examples
nasza-klasa
 
Secure Webservices
Matthias Käppler
 
Some OAuth love
Nicolas Blanco
 
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
WSO2Con USA 2015: Securing your APIs: Patterns and More
WSO2
 
[OSSParis 2015] The OpenID Connect Protocol
Clément OUDOT
 

Recently uploaded (20)

PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
A Presentation on Artificial Intelligence
memembruh336
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Spectroscopy.pptx food analysis technology
nawahassan45
 

Introduction to OAuth

  • 1. OAuth: Open Standard for Sharing #OpenWebTO - June 1st, 2010
  • 7. Sharing without passwords. Sites exchange user authorized tokens. Tokens can be revoked. Tokens can be scoped. Tokens can be time-limited.
  • 9. Terminology has changed a lot. These slides are old school.
  • 11. some history 12/07 - OAuth 1.0 06/08 - OAuth 1.0a 11/09 - OAuth WRAP 03/10 - OAuth 2.0 Draft 1 04/10 - RFC 5849 05/10 - OpenID Connect
  • 12. OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.
  • 13. Step 1. Attacker initiates OAuth authorization
  • 14. Step 2. Tricks victim into visiting authorization URI specially crafted for nefarious purposes (attacker specifies the callback).
  • 15. Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
  • 16. Step 4. Attacker completes the OAuth workflow. Has access to the victim's protected resources.
  • 18. The Result Inconsistent implementations. Different fixes for older providers. Be aware.
  • 21. Endpoint URIs Request Token URL User Authorization URL Access Token URL
  • 23. Example: Twitter Request: POST /oauth/request HTTP/1.1 Host: local.eval.ca:8000 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 ... Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485", oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D" Response: oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0& oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
  • 24. Example: FreshBooks Request: Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018", oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT", oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26", oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F" Response: oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2& oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh& oauth_callback_confirmed=true
  • 25. Redirect user to Authorization URI Twitter: http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8 FreshBooks: https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
  • 26. Handle Callback Twitter: http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8 FreshBooks: http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8 &oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs
  • 27. Exchange authorized Request Token for Access Token
  • 28. Example: Twitter Request: Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497", oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0", oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D" Response: oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo& oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI& user_id=149686823&screen_name=freshnotifydemo
  • 29. Example: FreshBooks Request: Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024", oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0", oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh" Response: oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
  • 31. Example: Twitter Request: POST /1/statuses/update.json HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995", oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo", oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D" status=Ohai. Response: { a lot of JSON }
  • 32. Example: FreshBooks Request: POST /api/2.1/xml-in HTTP/1.1 ... Content-Type: application/xml Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024", oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0", oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh" <request method="invoice.list" /> Response: <response status="ok"> A bunch of XML </response>
  • 33. Common Questions What about Desktop & Mobile applications? What the heck is OAuth WRAP? What does OAuth have to do with OpenID? What is up with OAuth 2?
  • 35. Problems with OAuth 1.0 Complex cryptographic requirements Poor user experience for desktop / mobile Performance at scale
  • 36. OAuth 2.0 OAuth 2.0 defines authorization flows. User Delegation Flows Direct Credentials Flows Autonomous Flows
  • 37. User Delegation Flows User-Agent Flow Web Server Flow Device Flow
  • 38. Direct credentials Flows Username and Password Flow Client Credentials Flow
  • 39. Autonomous flows: Assertion Flow
  • 40. OAuth 2.0 Bearer tokens over SSL Simpler signatures Short lived tokens with refresh tokens Authorization server and resource server
  • 42. OAuth 2.0 is currently in its 5th version of an IETF Draft.
  • 43. There are implementations in the wild including Facebook, 37 Signals and Github.
  • 44. There are Objective C, Python and Ruby libraries available with varying degrees of completeness.
  • 45. So things are looking good, but as always when working with something this new...
  • 47. Resources http://oauth.net/ http://tools.ietf.org/html/rfc5849 http://hueniverse.com/oauth/ http://tools.ietf.org/html/draft-ietf-oauth-v2-07
  • 49. thank you! Paul Osman paul@eval.ca